4 Replies Latest reply on Oct 25, 2013 2:57 PM by LAKSHMI GUDAVALLI

    management console security - racf - error

    LAKSHMI GUDAVALLI Newbie

      Hi,

       

      I am new to jboss. I am trying to configure the security for jboss management console using RACF/LDAP. I have gone though the some of the suggestions from community members and resolved most issue, but still I get error. I am using Jboss 7.1.1. and running in standalone mode.

       

      I have made sure that 'TESTUSER" exists in the ADMINGROUP in RACF. We have websphere security configured with same credentials, which works fine - thought it need a lot more details.

       

      Could you please check  and let me know what could be wrong in my config?

       

      <management>

              <security-realms>

                  <security-realm name="racf_ldap">

                      <authentication>

                          <ldap connection="racf_ldap" base-dn="CN=RACFLDAP,C=US" user-dn="PROFILETYPE=USER,CN=RACFLDAP,C=US">

       

                             <!-- <username-filter attribute="racfid=%v"/> -JBAS015231: User 'TESTUSER' not found in directory-->

       

                             <!-- <advanced-filter filter="(&amp;(racfuserid={0})(racfgroupid=ADMINGROUP))" />

                                    <advanced-filter filter="(RACFID={0},PROFILETYPE=USER,CN=RACFLDAP,C=US)" />

                                - JBAS015231: User 'TESTUSER' not found in directory -->

                               <advanced-filter filter="(RACFID={0})" />

                          </ldap>

                      </authentication>

                  </security-realm>

                  <security-realm name="ApplicationRealm">

                      <authentication>

                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

                      </authentication>

                  </security-realm>

              </security-realms>

              <outbound-connections>

                    <ldap name="racf_ldap" url="ldaps://ldap.comapny.org" search-dn="RACFID=racf_bind_user,PROFILETYPE=USER,CN=RACFLDAP,C=US" search-credential="racf_bind_user_passwd" />

              </outbound-connections>

              <management-interfaces>

                  <native-interface security-realm="racf_ldap">

                      <socket-binding native="management-native"/>

                  </native-interface>

                  <http-interface security-realm="racf_ldap">

                      <socket-binding http="management-http"/>

                  </http-interface>

              </management-interfaces>

          </management>

       

      Error message:

       

      11:48:45,597 FINE  [com.sun.net.httpserver] (HttpManagementService-threads - 1) POST /management HTTP/1.1 [401  Unauthorized] ()

      11:48:53,584 DEBUG [org.jboss.as.domain.http.api] (HttpManagementService-threads - 1) Callback handle failed.: java.io.IOException: JBAS015220: Unable to perform verification

          at org.jboss.as.domain.management.security.UserLdapCallbackHandler.handle(UserLdapCallbackHandler.java:220) [jboss-as-domain-management-7.1.1.Final.jar:7.1.1.Final]

          at org.jboss.as.domain.http.server.security.AuthenticationProvider$1.handle(AuthenticationProvider.java:80) [jboss-as-domain-http-interface-7.1.1.Final.jar:7.1.1.Final]

          at org.jboss.as.domain.http.server.security.BasicAuthenticator.checkCredentials(BasicAuthenticator.java:135) [jboss-as-domain-http-interface-7.1.1.Final.jar:7.1.1.Final]

          at org.jboss.com.sun.net.httpserver.BasicAuthenticator.authenticate(BasicAuthenticator.java:77)

          at org.jboss.as.domain.http.server.security.BasicAuthenticator._authenticate(BasicAuthenticator.java:102) [jboss-as-domain-http-interface-7.1.1.Final.jar:7.1.1.Final]

          at org.jboss.as.domain.http.server.security.BasicAuthenticator.authenticate(BasicAuthenticator.java:79) [jboss-as-domain-http-interface-7.1.1.Final.jar:7.1.1.Final]

          at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)

          at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)

          at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)

          at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)

          at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:682)

          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_11]

          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_11]

          at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_11]

          at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.0.0.GA.jar:2.0.0.GA]

       

      Caused by: java.io.IOException: JBAS015231: User 'TESTUSER' not found in directory.

          at org.jboss.as.domain.management.security.UserLdapCallbackHandler.handle(UserLdapCallbackHandler.java:193) [jboss-as-domain-management-7.1.1.Final.jar:7.1.1.Final]

          ... 14 more

       

       

      I tried to get the trace by enabling the trace on some of these modules, but I haven't got any usefull information.

       

      <logger category="org.jboss.security">            <level name="TRACE"/>
          </logger>
          <logger category="org.jboss.as.domain.http.server.security">
          <level name="TRACE"/>
          </logger>
          <logger category="org.jboss.com.sun.net.httpserver">
          <level name="TRACE"/>
          </logger>
          <logger category="org.jboss.as.domain.http.api">
          <level name="TRACE"/>
          </logger>
          <logger category="com.sun.jndi.ldap.LdapCtx">
          <level name="TRACE"/>
          </logger>
          <logger category="com.sun.net.httpserver">
          <level name="TRACE"/>
          </logger>   
          <logger category="org.jboss.as.domain">
          <level name="TRACE"/>
          </logger>   
          <logger category="org.jboss.as.domain.security">
          <level name="TRACE"/>
          </logger>   
          <logger category="org.jboss.as.domain.management.security">
          <level name="TRACE"/>
          </logger>   
          <logger category="org.jboss.as.domain.http.server">
          <level name="TRACE"/>
          </logger>   
          <logger category="org.jboss.as.domain.management">
          <level name="TRACE"/>
          </logger>   
          <logger category="org.jboss.sun.net.httpserver.AuthFilter">
          <level name="TRACE"/>
          </logger>

       

       

      Thanks in advance.

       

       

       

      -Lakshmi

        • 1. Re: management console security - racf - error
          Darran Lofthouse Master

          You may be better to use either a self build of WildFly master or wait for the Beta1 release of WildFly 8 as we have added considerable TRACE logging in this area to resolve LDAP based authentication issues.

          • 2. Re: management console security - racf - error
            LAKSHMI GUDAVALLI Newbie

            I have tried WildFly 8.0 alpha4, which has another issue with <outbound-connections>. Server startup failed with below error. I looked at the schema and make sure the config is good as per the schema. So far no solution, I will try with another version - A2 or A3 and see it works

             

            14:50:15,002 DEBUG [org.jboss.as.config] (MSC service thread 1-6) VM Arguments: -XX:+TieredCompilation -XX:+UseCompressedOops -Dprogram.name=standalone.bat -Xms64M -Xmx512M -XX:MaxPermSize=256M -Djboss.server.default.config=standalone-full.xml -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Dorg.jboss.boot.log.file=C:\lgudavalli\Tech\jboss\wildfly-8.0.0.Alpha4\standalone\log\server.log -Dlogging.configuration=file:C:\lgudavalli\Tech\jboss\wildfly-8.0.0.Alpha4\standalone\configuration/logging.properties

            14:50:15,876 ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration

            at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:112) [wildfly-controller-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            at org.jboss.as.server.ServerService.boot(ServerService.java:322) [wildfly-server-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:245) [wildfly-controller-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_11]

            Caused by: java.lang.UnsupportedOperationException

            at org.jboss.as.server.parsing.StandaloneXml$ManagementXmlDelegate.parseOutboundConnections(StandaloneXml.java:1316) [wildfly-server-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            at org.jboss.as.domain.management.parsing.ManagementXml.parseManagement_2_0(ManagementXml.java:336) [wildfly-domain-management-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            at org.jboss.as.domain.management.parsing.ManagementXml.parseManagement(ManagementXml.java:264) [wildfly-domain-management-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:455) [wildfly-server-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:147) [wildfly-server-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:109) [wildfly-server-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final.jar:1.1.0.Final]

            at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final.jar:1.1.0.Final]

            at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:104) [wildfly-controller-8.0.0.Alpha4.jar:8.0.0.Alpha4]

            ... 3 more

            • 3. Re: management console security - racf - error
              LAKSHMI GUDAVALLI Newbie

              After trying out different combination, we decided to take the network trace. It seems there are some characters are being added to user id

              This is what we saw.

               

              racfid..TESTUSER0#.!profiletype=USER,cn=RACFLDAP,c=US

               

              We took the trace for websphere and it looks like this

               

              .......y.......racfid..TESTUSER0...1.1..0...2.16.840.1.113730.3.4.209...d4.0racfid=TESTUSER0,profiletype=USER,cn=RACFLDAP,c=US0.0....e.

               

              our security-realm.

               

              <security-realm name="racf_ldap">

              <authentication>

                <ldap connection="racf_ldap" base-dn="CN=RACFLDAP,C=US" user-dn="profiletype=USER,cn=RACFLDAP,c=US" >

                 <advanced-filter filter="racfid={0}" />

                </ldap>

              </authentication>

              </security-realm>

              • 4. Re: management console security - racf - error
                LAKSHMI GUDAVALLI Newbie

                Never thoght I would spend so much time in a silly problem.

                 

                I havn't added the 'recursive="true"'. Once I add it, it worked

                 

                <ldap connection="racf_ldap" recursive="true" base-dn="CN=RACFLDAP,C=US" user-dn="PROFILETYPE=USER,CN=RACFLDAP,C=US">